This section gives an overview of audit requirements and processes, supported by an interview with a security professional, to provide the basis and purpose for the User Guardian idea. This information is then used to summarise the problem and to set goals for what the tool needs to achieve.
What is an Audit?
The Oxford English Dictionary gives the following definition of audit, "to make an official systematic examination of (accounts), so as to ascertain their accuracy" (Oxford English Dictionary, 2013).
Typical Audit Points
In the financial markets, companies are regulated by government bodies to ensure that their trading activities do not have detrimental outcomes for the interests of their citizens. In the following example the UK rules are highlighted; however, similar rules exist in other territories such as the US and Asia.
In the UK the Financial Conduct Authority (FCA, 2013) regulates UK companies; its remit is:
The FCA upholds these goals using legal rules set out in numerous government acts. In this space, IAM tools and regular audits provide an important function in helping companies stay in compliance with the laws stated in acts such as the Financial Services Act 2012.
To understand how IAM tools play an important compliance role it must be understood that most “trading instruments” or systems are operated through electronic sources, and access is provisioned internally to individuals who use them within the trading organisation. The act defines a trading instrument as “(a) a recognised investment exchange, other than an overseas investment exchange” (UK Government, 2000).
To provide an example, an energy trading firm may use the exchange ICE to provide confirmations electronically (ICE, 2013). If the FCA decides to give notice to ICE to prevent UK companies from using parts of the exchange, it would be imperative for the company to have controls in place to provide evidence of who ceased trading activities, how, and when, as supporting evidence for any subsequent investigation. Equally, if an employee of a trading company were involved in any malpractice related to an investigation, processes and tools need to exist to record and then restrict that user's access to trading systems.
A real-life example, and one of the largest incidents in monetary terms, was Nick Leeson's use of an error account to cover up "more than £800m" in losses (BBC News, 1999). IAM tools, as enforcement measures for audit findings, are critical in the effort to safeguard a company and its employees against these types of operational risk, and against any potential impact on the UK economy and its citizens.
The Audit Review Process
To understand what is involved in an IT Security audit the following interview was undertaken with an IT Security Manager for a large multinational trading company.
Question 1: How frequently are audits carried out in the company, and who are they undertaken by?
We have an internal audit team that run several a year on different areas of the business. These audits are set against their own road map and are guided against industry standards, plus any environmental events, for example the SocGen and UBS incidents. We are also audited annually by an external company.
Question 2: What is the audit process, and typically what time period do auditors provide between the audit and closure of any audit findings?
The process is detailed below and typically takes about 6 weeks to complete:
The closure times are based on quarters and will typically be set to be completed within a year.
Question 3: What key questions do auditors typically ask in regard to user access management?
Processes! You can guarantee an auditor will want to see a documented process around joiners, movers and leavers. Privileged access questions come up a lot. How do privileged accounts get created, reviewed and what can they do? User lists will be requested and tested against HR data for joiner/leaver tests.
Question 4: How many applications would a user access management audit cover?
We would be audited on critical systems. This currently stands at approximately 200. Of this number they would take a cross section and ask us for the information or evidence. In the five years I have been dealing with internal and external auditors here they always go for the applications they know the names of. These are not always the most high profile, so I can only assume they take the auditors notes from the previous year and repeat?
Question 5: What level of importance do auditors typically place on good user access management processes and controls?
High, if we fail on a security control on access we will get a high severity rating. This means the time frame cannot be extended and will be flagged at board level.
Question 6: What would be the consequences for the IT Security team, CISO or the organisation if an audit point for access management was left unresolved?
If we could not come up with a good mitigating reason then it would be brought up at board level and we would have to present our reasons why it was not addressed. If those reasons were due to negligence or bad prioritisation of workload then someone would get the boot. NB. We don’t miss audit point deadlines. We closed 48 different external/internal recommendations in 2012.
Question 7: What is the most difficult challenge in working out segregation of duties for users?
Mapping business roles versus application entitlements versus the user lifecycle. To gather all three is hard enough but to map them all together and then have that running dynamically in real time is not easy.
Question 8: How have access management reviews been carried out in the past, and what have been the most difficult tasks in completing the reviews?
Past access reviews have been manually undertaken as follows:
The whole process takes a long time. The longest part, or the part that is hard to make effective is getting the heads of functions or team leaders to confirm who should and shouldn’t have access. The process would often take up to 9 months and was effectively useless.
Question 9: Would an auditor expect to see how the output and processes from an IAM tool are used to improve user access controls, and if so would an audit be undertaken on the tool and its accuracy once established in an organisation?
They would only want an improvement if one was needed. They are more than happy if the tool operates with existing process/controls that have met their audit checks. The IdAM [Identity Access Management] tool would definitely be a target for external and internal audits. External audit have already asked to carry out an audit 4 weeks after the scheduled completion of the project.
Question 10: Are there any crossovers between IT security teams and compliance teams when it comes to user access management strategies, processes and controls?
Segregation of duties, in respect of FO [front office] and BO [back office] users/authorisers is one. Another one relates to a “Bingo list”. This is the point at which a user can trade end-to-end by accumulating the relevant access. This can all be requested and approved by data owners or heads of functions but the compliance guys need visibility of this. Compliance ultimately has the responsibility to let IT security know what is and is not allowed (Anonymous 2013).
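The two checks the interviewee describes, the joiner/leaver test of system user lists against HR data (Question 3) and the "Bingo list" test for users who have accumulated end-to-end trading access (Question 10), written as an added Python example; this is not code from the dissertation or from the User Guardian tool, and the HR feed, application user lists and entitlement names are constructed sample data.

```python
from datetime import date

# Constructed sample HR feed and per-application user lists (not from the interview).
HR_RECORDS = {
    "alice": {"status": "active", "leave_date": None},
    "bob":   {"status": "leaver", "leave_date": date(2013, 5, 31)},
    "carol": {"status": "active", "leave_date": None},
}
APP_USER_LISTS = {
    "deal_capture":  {"alice": {"FO_DEAL_ENTRY"}, "bob": {"FO_DEAL_ENTRY"}, "dave": {"FO_DEAL_ENTRY"}},
    "confirmations": {"alice": {"BO_CONFIRM"}, "carol": {"BO_CONFIRM"}},
    "settlements":   {"alice": {"BO_SETTLE"}, "carol": {"BO_SETTLE"}},
}
# Hypothetical "Bingo list": the front-office and back-office entitlements that,
# held together by one person, allow a trade to be entered, confirmed and settled end-to-end.
BINGO_LIST = {"FO_DEAL_ENTRY", "BO_CONFIRM", "BO_SETTLE"}


def leaver_test(app_users, hr):
    """Joiner/leaver test: accounts still present on a system whose owner has left
    or is unknown to HR (an orphan account). Returns (application, user, reason)."""
    findings = []
    for app, users in app_users.items():
        for user in users:
            rec = hr.get(user)
            if rec is None:
                findings.append((app, user, "orphan: not in HR feed"))
            elif rec["status"] == "leaver":
                findings.append((app, user, f"leaver since {rec['leave_date'].isoformat()}"))
    return sorted(findings)


def accumulated_entitlements(app_users):
    """Union of each user's entitlements across all audited critical systems."""
    acc = {}
    for users in app_users.values():
        for user, ents in users.items():
            acc.setdefault(user, set()).update(ents)
    return acc


def bingo_test(app_users, bingo):
    """Segregation-of-duties test: users whose combined access completes the Bingo list."""
    acc = accumulated_entitlements(app_users)
    return sorted(user for user, ents in acc.items() if bingo <= ents)


if __name__ == "__main__":
    for finding in leaver_test(APP_USER_LISTS, HR_RECORDS):
        print("LEAVER/ORPHAN:", finding)
    for user in bingo_test(APP_USER_LISTS, BINGO_LIST):
        print("BINGO LIST HIT:", user)
```

In a real review the HR feed and user lists would be exported from the HR system and each critical application, and the Bingo list agreed with compliance, who the interviewee identifies as the owner of what combinations are allowed.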
References
Financial Conduct Authority, 2013. Our Remit. [Online]
Available at: http://www.fca.org.uk/about/why-we-do-it/our-remit
[Accessed 7 July 2013].
ICE, 2013. Global Markets in clear view. [Online]
Available at: https://www.theice.com/ice_link.jhtml
[Accessed 7 July 2013].
Oxford English Dictionary, 2013. audit, v. [Online]
Available at: http://www.oed.com/view/Entry/13036?result=2&rskey=KYe8L0&
[Accessed 7 July 2013].
UK Government, 2000. Financial Services and Markets Act 2000. [Online]
Available at: http://www.legislation.gov.uk/ukpga/2000/8/part/18A
[Accessed 7 July 2013].
Anonymous, 2013. Audits within a commodities trading company [Interview]
(2 August 2013).